MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.

28.1.09

Danmec, or Asprox, is the name of a trojan designed to recruit zombie machines while collecting confidential information from each of the victims it infects.

While the emergence of this trojan isn't new, it now uses more complex strategies than those usually employed by other malicious code, including its own early variants, such as Fast-Flux techniques to evade detection by blocking programs and to infect as many computers as possible.

Currently, Fast-Flux networks are being massively and actively exploited by thousands of domains of Russian origin, reactivating botnets such as the one created by Danmec.

Each of these domains hosts the following script, written in JavaScript and called script.js (MD5: ccec2c026a38ce139c16ae97065ccd91), from which a Drive-by-Download is launched:

This call, made through the iframe tag, goes to a URL that is part of an active Fast-Flux network, as the DNS lookup below shows: the same name resolves to many unrelated addresses with a short TTL of 600 seconds.

; google-analitycs.lijg.ru. IN A

;; ANSWER SECTION:
google-analitycs.lijg.ru. 600 IN A 68.119.39.129
google-analitycs.lijg.ru. 600 IN A 69.176.46.57
google-analitycs.lijg.ru. 600 IN A 71.12.89.233
google-analitycs.lijg.ru. 600 IN A 76.73.237.59
google-analitycs.lijg.ru. 600 IN A 97.104.40.246
google-analitycs.lijg.ru. 600 IN A 98.194.180.179
google-analitycs.lijg.ru. 600 IN A 146.57.249.100
google-analitycs.lijg.ru. 600 IN A 151.118.186.131
google-analitycs.lijg.ru. 600 IN A 165.166.236.74
google-analitycs.lijg.ru. 600 IN A 173.16.99.131
google-analitycs.lijg.ru. 600 IN A 173.17.180.79
google-analitycs.lijg.ru. 600 IN A 24.107.209.119
google-analitycs.lijg.ru. 600 IN A 24.170.188.201
google-analitycs.lijg.ru. 600 IN A 68.93.61.194